Cisco ASA: VPNs With Overlapping Subnets
Jun19

Cisco ASA: VPNs With Overlapping Subnets

KB ID 0001446 Problem I’ve seen this pop up a few times in forums, and I’ve even seen people post “It cant be done, you will need to change one of the subnets,” ¬†but to be honest, it’s not that difficult. We simply have to do some NAT. This is the bit people struggle with, with VPNs usually we need to STOP NAT being applied to VPN traffic, and we still do, we simply NAT the traffic before we sent it over...

Read More
Cisco ASA ‘Ping Source?’
Jun13

Cisco ASA ‘Ping Source?’

KB ID 0001445 Problem To be honest, the title is a little misleading, on an ASA you can specify which interface to launch a ‘ping’ from, but that’s it. I found myself in a situation today where I was working on a client firewall and I was trying to bring up a VPN tunnel, and I did not have access to any of their machines, and nor did they, (hence the reason for the VPN tunnel!) Well we can’t use good old...

Read More
Cisco Stacking 2960-X Catalyst Switches
Jun05

Cisco Stacking 2960-X Catalyst Switches

KB ID 0001444 Problem You can stack up to 8 2960-X Switches*, you will require the stack modules and cables, (shown below).  *Note: If you are studying for an exam, and the question is StackWize the answer is 9. Solution Stack Modules: Power down the switch, remove the blanking plate and fit the module, then when powered on you can use a show inventory command to make sure the module has been detected correctly. Switch#show inventory...

Read More
Cisco ASA Site To Site VPN IKEv2 “Using CLI”
May06

Cisco ASA Site To Site VPN IKEv2 “Using CLI”

KB ID 0001429 Problem You want a secure IPSEC VPN between two sites using IKEv2. Note: If the device you are connecting to does not support IKEv2 (i.e. its not a Cisco ASA, or it’s running code older than 8.4) then you need to go to the older version of this article; Cisco ASA 5500 Site to Site VPN IKEv1 (From CLI) Solution Before you start – you need to ask yourself “Do I already have any IPSEC VPN’s...

Read More
Cisco ASA: Allow VPN Traffic “Through” A Cisco Firewall
May06

Cisco ASA: Allow VPN Traffic “Through” A Cisco Firewall

KB ID 0001428 Problem I got asked to put in a VPN for a client, this week, it went from a simple site to site, to a site to site with a Fortigate firewall at one end, to a VPN from and ASA to a Fortigate ‘through’ another ASA.¬† It’s been a few years since I had to tunnel ¬†‘through’ a firewall, and experience tells me, if you don’t have control of BOTH ends of a new VPN tunnel, anything that stops...

Read More
Cisco ASA: Group-Lock WARNING
Apr12

Cisco ASA: Group-Lock WARNING

KB ID 0001423 Problem You will see this error if you are pasting configuration into a Cisco firewall. This week I was manually converting an old 8.2 version firewalls configuration, to run on a modern (version 9) firewall, when I saw this; Petes-ASA(config)# username fred.bloggs attributes Petes-ASA(config-username)# group-lock value SOME-VALUE WARNING: tunnel-group SOME-VALUE does not exist Solution The reason you are seeing this...

Read More